Florida Harness Manuf. Takes Steps to be “CMMC Ready”
In the last issue of WHN, we took an in-depth look at the new Department of Defense (DoD) cybersecurity requirement called CMMC. If you are currently doing any work directly or indirectly for the DoD, you should be taking steps to complete the requirements now. You can take a look at that article for free on our website by clicking “Read Past Issues” under the “More” tab at www.wiringharnessnews.com.
In a nutshell, the new framework provides enhancements to DFARS 252.204-7020 and NIST 800-171 cybersecurity guidelines. There are new protocols, but the major difference between the old guidelines and the new framework is that the previous rules allowed for self-assessment. CMMC will require a third-party auditor to assure compliance.
As we stated in the article, the DoD has yet to complete training for auditors. Nonetheless, some companies are completing the requirements to be CMMC ready. One such company is Certified Manufacturing of Holt, Florida. Certified Manufacturing builds harnesses almost exclusively for programs in support of aerospace, space, and land defense systems. Pamela Bechtold, President, and Bob Bechtold, Vice President/COO, recently spoke about their journey through the new DoD cybersecurity framework.
A couple of years back, the company was delivering an electromechanical assembly for a low-volume defense program. When they came back for the second-round RFQ of that assembly, there was a new box to be checked. It was for a DFARS cybersecurity requirement that Certified Manufacturing hadn’t seen before. “They called and said they were ready to place the order, but we hadn’t checked the box. I told them I can’t do that without lying,” Bob recalled. The procurement office indicated there was no current system in place to verify compliance; they just seemed to want the box checked. But that just wasn’t an option for Bob and Pamela. Integrity had always been at the forefront of the company’s dealings, and that wasn’t about to change just to get an order. They respectfully “no quoted” the business.
They started to notice the DFARS requirement popping up in subsequent quotes, so Bob and Pamela knew it was time to take action. “We decided we were either going to be in this game, or we weren’t,” Bob recalled. He equated it to their decision to become AS9100 back in the early 2000s. “Boeing said we were going to be AS9100 or we weren’t going to be in the game, and we made the decision this would be another qualification we would need to hold to stay in business.” They learned that the DFARS requirements were just the first step, and that the CMMC certification was the ultimate long-term solution as it was scheduled to come online in 2020/21.
When they first presented the requirements to their IT consultant, they hit a brick wall. “He said he couldn’t even read this stuff let alone guide us to compliance,” Bob remembered. Certified Manufacturing turned to the consulting outfit FloridaMakes, who helped them find an IT consulting firm dedicated to getting them up to speed in 90 days. The IT consultant did a gap analysis to determine the steps to get them where they needed to be. “We had about 40 computers and a server,” Bob cited. “We are a small business, and we would just buy a new computer when one broke. We had everything from Windows 7 to Windows 10, with none of them running any real encryption.”
The new IT consultant took all the old computers, destroyed the hard drives in accordance with proper procedures, and replaced them with new computers and a more robust server. They then programmed everything with cutting-edge encryption technology. They also installed proprietary software so Bob and Pamela’s internal team could monitor the system in accordance with the new controls. “If you have a breach on some high-level information, you have to guarantee you can identify it, contain it and fix it within the amount of time specified by the CMMC requirements.”
The government has yet to complete the training for the new CMMC auditors, so the company is very careful about how they describe their achievements in documentation. “We say in all of our communications that we are CMMC Level III ready, implying that we are ready for certification.”
Certified Manufacturing is already reaping the benefits. “We’re actually bidding on a job right now for a major defense upgrade to one of the weapons systems, and we actually got written into the contract because we were Level III ready. I mean, we got in on a major job that is being implemented right now because of these efforts. We are seeing very big opportunities because we can say we are CMMC Level III ready. So, it’s real!”
As they wait for their official audit, this is how Certified Manufacturing is relating their cybersecurity status:
Certified Manufacturing is 100% compliant to DFARS 252.204-7020, NIST 800-171 and 99.5% compliant to CMMC Level 3 (ready)
Read about the history of Certified Manufacturing in the next issue when WHN highlights them in the Company Profile.